Using Session Variables for User Login - sometimes they don't persist... what am I doing wrong?

Hi all,
I'm running a site that requires user login.  I approached the building of this site as almost a complete newb to CF (and dynamic coding in general), and it's been a great learning experience (with lots of help from you guys).
However, I guess I never learned the correct way to handle a user login.  It seemed to me that I could just test the user-entered credentials against those stored in a database, then set a session variable containing that user's record number.  Then, not only would I have an easy way of knowing who this user was and therefore what info to serve him, but I could test for the existence of a valid login on every page in the protected folder, by adding this code to my application.cfc in that folder:
<cfset This.Sessionmanagement = true>
<cfset This.Sessiontimeout = createTimeSpan(0,8,0,0)>
<!--- Bounce to the login page unless all three login values are in the session --->
<cfif NOT isDefined("session.username") OR NOT isDefined("session.password") OR NOT isDefined("session.storeID")>
  <cflocation url="../index.cfm" addtoken="no">
</cfif>
...and it goes on to run a query and verify that the session.username and session.password match for the store defined by session.storeID.  If not, all session variables are cleared and it bounces you back to the login page.  When the user clicks Logout, all I do is delete all the session variables.
This seemed to work great for like a year, but lately I've been getting reports that the login doesn't seem to persist for longer than approx. 20 minutes of inactivity.  You can see I specified session variables to remain active for 8 hours (I know that seems like a drastically long login, but it's what's necessary for this application).  I've only gotten this report from a few people, and I myself can't seem to duplicate it... I've tested an inactive login for 45 minutes now and it held.
SO:  any reason you can think of why session variables would be spontaneously clearing for some people?  Would having your router reset its IP address invalidate the session or something?  Also, the problem seemed to begin appearing after my host upgraded all their servers to CF9... could there be any relation?
And on a more general note... did I go about this completely the wrong way to begin with?  If so, what's the standard way to manage a login?
Lots of questions, I know... thanks very much for any answers or suggestions!
Joe

Ian,
Thanks very much - very helpful information.
Sounds like passing the tokens in every request is probably the way to go for this.  I don't think it's likely that any users will be sharing links, unless they actually intend for the recipient to see their info anyway.
Is that all I would have to do, is add the tokens to every path?  Would that guarantee that all the session variables would remain valid until timeout or being cleared?
Again, thanks, you've been really helpful.
Joe
On Jun 23, 2010 4:37 PM, Ian Skinner wrote:
Unfortunately this is the nature of HTTP web applications.  There is NO state maintained from HTTP request to request.  This is by design in the HTTP protocol specifications.
ColdFusion provides two methods to circumvent this limitation.  Each method has limitations and caveats.  They both rely on the passing of tokens between the client and the server with every request.  These tokens can be passed as cookies OR URL (GET) variables.  You are using the cookie method, which is the simpler and most common. You may be experiencing the limitation of this method.  If something happens to the cookies the session can be lost.
You could pass the (CFID & CFTOKEN) OR JSESSIONID tokens through the URL query string with every request.  This requires one to add these values to every link, form action, cflocation or other request path in our application.  ColdFusion provides the session.urltoken variable to make this easier to do.  The tokens will be visible to the user.  Also, if a link with an individual token is shared with other users via e-mail, chat, social networks, etc., and one of these users utilizes the link during the life of a session (8 hours apparently in your case), then that user will access the session of the original user.
Cookie session management is by far the most common choice by CF developers.  If these methods do not meet your needs you would need to go beyond the HTTP limitations of web applications.  One might be able to accomplish this with a Flex|Air|Flash application that can be configured to use a continuous connection to the server, and thus not suffer the stateless nature of the normal HTTP request-response cycle.
I do not know if a router resetting would cause cookies to be discarded or otherwise invalidated.  But I would not think it is beyond the realm of possibilities.
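
The shared-link risk Ian describes can be checked for in the web server's access log. The following is an added example, not part of the original thread: it groups requests by the CFID/CFTOKEN pair carried in the URL and separates a token used from a different browser (a shared link) from a token whose client only changed IP address (the router case Joe asks about). The log lines, paths and token values are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [23/Jun/2010:09:00:01 -0400] "GET /admin/orders.cfm?CFID=1201&CFTOKEN=48213377 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
203.0.113.10 - - [23/Jun/2010:09:05:40 -0400] "GET /admin/report.cfm?id=7&CFID=1201&CFTOKEN=48213377 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
198.51.100.77 - - [23/Jun/2010:11:30:12 -0400] "GET /admin/report.cfm?id=7&CFID=1201&CFTOKEN=48213377 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Macintosh) Safari/533.16"
203.0.113.25 - - [23/Jun/2010:09:10:00 -0400] "GET /admin/orders.cfm?CFID=1202&CFTOKEN=90417756 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
203.0.113.99 - - [23/Jun/2010:13:45:09 -0400] "POST /admin/save.cfm?CFID=1202&CFTOKEN=90417756 HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
192.0.2.5 - - [23/Jun/2010:14:00:00 -0400] "GET /index.cfm HTTP/1.1" 200 800 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
"""

# ip, ident, user, [time], "METHOD url PROTO", status, bytes, "referer", "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def clients_per_token(log_text):
    """Map each (CFID, CFTOKEN) seen in a URL to the set of (ip, user-agent) using it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        query = parse_qs(urlsplit(m["url"]).query)
        # ColdFusion treats URL variable names case-insensitively.
        params = {k.upper(): v[0] for k, v in query.items()}
        if "CFID" in params and "CFTOKEN" in params:
            seen[(params["CFID"], params["CFTOKEN"])].add((m["ip"], m["ua"]))
    return seen


def classify(log_text):
    """Label every token that was presented by more than one client."""
    findings = {}
    for token, clients in clients_per_token(log_text).items():
        ips = {ip for ip, _ in clients}
        agents = {ua for _, ua in clients}
        if len(agents) > 1:
            # A different browser is presenting the same session token.
            findings[token] = "different-client"
        elif len(ips) > 1:
            # Same browser, new address: consistent with a router re-addressing.
            findings[token] = "ip-change-only"
    return findings


if __name__ == "__main__":
    for token, label in classify(SAMPLE_LOG).items():
        print(token, label)
```

A "different-client" hit is the case to act on, for example by ending that session and requiring a fresh login.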

Similar Messages

  • Sometimes my photos upload to sites like FB or Kijiji and sometimes they won't? What am I doing wrong?

    My MAC OS X Lion version 10.7.5 will upload photos from iPhoto to sites like Facebook or kijiji or photo editing sites and sometimes it just won't? What can I do to fix this problem? Very inconsistent?
    Thanks so much

    No, that would not be the problem. Lightroom can manage images on any hard drive that is connected to your computer. In all probability your monitor is set so that it is too saturated and too bright. Your monitor probably needs to be calibrated. The best way to do that is to use a hardware calibration device. I have adjusted my monitor using the Windows tools and the adjustments on my monitor. The real "pros" will tell you that is not a good way to do it. And I know that. But it has worked for me. I adjusted my monitor until the monitor looked like one of the images or prints. And then adjusted accordingly in Lightroom.

  • I purchased the Adobe pdf Pack to combine 50 PDF files to one and when I select them from my folder it claims "the files are not in a format not supported for conversion to PDF".  They already are pdfs, what am I doing wrong?

    I purchased the Adobe pdf Pack to combine 50 PDF files to one and when I select them from my folder it claims "the files are not in a format supported for conversion to PDF".  They already are pdfs, what am I doing wrong?

    Moved to Adobe PDF Pack (read only)

  • ExportPDF - I can't download my converted document.  When I try to download, it asks for my id and password and when I supply it, it asks for it again and again... What am I doing wrong?

    ExportPDF - I can't download my converted document.  When I try to download, it asks for my id and password and when I supply it, it asks for it again and again... What am I doing wrong?

    Hi jow75,
    I'm sorry to hear that you're having trouble downloading your files. Please try the following:
    Clear the browser cache and try again.
    Try a different browser (see System requirements | Acrobat.com for a list of supported browsers).
    Make sure that you're using the correct Adobe ID and password.
    Please let us know how it goes.
    Best,
    Sara

  • I follow the instructions of swiping up from the bottom for the control panel, but nothing appears. What am I doing wrong or what do I need to be turned on or off?

    I follow the instructions of swiping up from the bottom for the control panel, but nothing appears. What am I doing wrong or what do I need to be turned on or off?

    "If you're on your home screen, where your apps and folders are, you can't."
    I can on mine.
    For anyone having this issue, take your device out of the case and try it naked before trying a reset, restore or Genius Bar appointment.

  • I must have a setting wrong on PSE 10.  When I use selection tool and select color, it is always blue.  What am I doing wrong?

    I must have a setting wrong on PSE 10.  When I want to fill a selection with color, I choose the color but it always comes up blue.  What am I doing wrong?

    What IP address does the TC have and what IP does the computer have?
    We need more info as we really have no idea what your network looks like.
    Modem router, model, type of broadband?
    TC setup as bridge or router?
    Is the computer getting internet via the TC?
    Are you using wireless or ethernet?
    Have you set IPv6 correctly to local link in the computer on whichever network client is doing the connection?
    Did this work the first time for backup and has now failed? If so simply reboot the TC. It is a constant bug that the TC is lost to the network.

  • Use BEx variable for user input data, not to filter.

    Hi,
    I have a situation where I am displaying notification task data.  Each header notif has a number of tasks.  These tasks are marked either newest, oldest or no mark (in the middle) for each different task code.
    Using VKF's and by passing the user entered variables for newest and oldest I am able to make KF calculations.
    So if I have a notif that is like this:
    Notif XYZ
      Task 1  Code: SCM     Date: 1/1/2000
      Task 2  Code: SCM     Date: 1/4/2000
      Task 3  Code: SCK     Date: 1/10/2000
    If the user selects Newest = SCM and Oldest = SCK
    The key figure would use those 2 different notif tasks to calculate.
    This works fine.
    My problem now is that the data is displayed at the line level.  When the user enters his choices for task code, BEx will filter to find one single task item that has both the Newest and Oldest values that the user entered.  It will return no data.
    Example:
    NOTIF    TASK    NEWEST    OLDEST
    XYZ      1       SCM
    XYZ      3                 SCK
    If user enters Newest = SCM and OLDEST = SCK
    It will look for one line with both values, returning nothing.
    So, I want to simply use the BEx selection screen to pass values to my virtual code (which I already have working)-  but I do not want the report to filter on a notification that only has both values as OLDEST and NEWEST tasks.
    Is this possible?  To deactivate the BEx filtering for two infoobjects thus only passing the user entered values to my CMOD code?
    Any help/suggestions would be appreciated.
    Thanks in advance,
    Brandon

    Hi Prakash,
    Can you explain what you mean?  I know using a text variable would allow me to take the user entry and apply it to the header of a column... but how would it disable filtering on what was entered?
    Thx

  • Ipad and Iphone show offline on find my phone, but they are both on, what am I doing wrong

    My iphone was lost and I'm trying to locate it using find my phone however it says all devices are offline!
    I have my Ipad that's connected to the same apple id and the find my phone is enabled and I'm currently connected to my home wifi as well as hotspot, but it says offline!
    What am I missing, please help me fix this so I can attempt to find my phone!
    Thank you

    If the location of the device is unknown, then it will show up as offline.  It's quite possible that your router has not been properly registered by your provider to show its location.  Also your device has to be turned on and connected to wifi.
    As for iphones, they shouldn't have this router problem, since they are also connected to cell towers.
    Did you ever test all your devices before, at home, to see if they could be located.  If they were found, then my hypothesis in the first paragraph is probably not correct.  You might test your ipad at another location, like a mall to see if you can find it using the Find My iPhone app.

  • HT4528 I have transferred my videos from lg chocolate phone to the iphone5s but they will not play what am I doing wrong?

    My videos have been transferred from my old LG chocolate phone which had a sim card to the new iphone 5s  ...but they are coming across as photos and will not play...I do not want to lose these videos and I am almost ready to return the new iphone 5s...help

    I tried to move them to my computer but my computer keeps telling me that I need some kind of download to be able to transfer them . A driver...
    Went to two Verizon stores and they have the same problem...I am ready to return this phone...these videos are special and I don't want to lose them.
    Not sure what format these videos are most likely mp4's

  • I have used your recommended method over and over and over without success. what am i doing wrong????

    I just cannot seem to create a desktop shortcut using your recommended method.

    Not sure what method you are following or what you are actually trying to do.
    If you wish to create a shortcut to a site and have Firefox open:
    Drag the tab to the desktop, but do that by dragging the icon on the end of the location bar, not the tab itself. Dragging the tab is used to reposition the tab on the tab bar or to move it to a new Firefox window.

  • Each time that I sign in to Adobe I have to search for my files and my purchased package. What am i doing wrong? Why can't I just sign in and be taken to my package and documents?

    I find the Adobe site to be very unfriendly. I believe that I should be able to sign in and be taken to my purchased package (PDF Converter, Cloud, etc), without having to spend 5 minutes searching the site. I would appreciate any tips as it takes me longer to convert 1 PDF than it does to create the 5 Excel documents that I need to convert.

    Hi lakepretty,
    Are you logging in directly to https://cloud.acrobat.com/exportpdf? That should take you directly to where you need to be. (You could also bookmark that page in your web browser, which would make it even easier to get there!).
    Please let us know if you have additional questions.
    Best,
    Sara

  • In Aperture using the external photo editor Adobe photoshop elements 10 editor.  My photo will not come back to aperture unless the photo is saved on the desktop and then imported back to Aperture. What am I doing wrong?

    Using Adobe Photoshop Elements 10 Editor as external editor in Aperture.  The issue is once I make the changes in Photoshop it requests that I save (use tiff) and the photo is not updated in Aperture.  What am I doing wrong?

    Marianne,
    how do you save? Photoshop Elements can save either versions or overwrite the original file, afaik.
    You need to set the save preferences, so that it will write to the original file and not write a version. Also the filename extension should be "tiff" and not the default "tif" (I think you did that already).
    Regards
    Léonie

  • Dates Format in Promts using Session Variables

    Hi Experts,
    I have an issue in controlling date format in prompts using session variable which I am using to set default value.
    By default date format is timestamp E.g '2010-12-19 12:00:00 AM'.
    As per requirement(s) I customized the date format in Reports as 19-Dec-2010 and I saved it as "System Wide Default for <Date Column Name> "
    So, I got desired format in Reports and Date Prompts.
    Now, I need to set a default value in Date Prompt. So, in RPD I created a Session Variable which returned me date in
    DD-MON-YYYY format. Using following SQL :
    SELECT REPLACE(CONVERT(VARCHAR(11), Getdate (), 106), ' ', '-') AS [DD-Mon-YYYY]
    But reports take this value as a string and not Datetime. So I got an error message.
    A datetime value was expected (received "19-Dec-2010").
    If I do not use the above SQL to CONVERT the date, then the default date in the prompt gets displayed in timestamp format and gives me the desired results, but the formatting looks very odd in the prompt.
    Is there a way I can persist the [DD-Mon-YYYY] formatting for the default value which comes from the variable and still run the report?
    The above problem also exists vice versa, that is, if I SET that session variable and pass the datetime value to the server. But there I guess I can use ToDate or some casting in the RPD column expression to handle that. Tell me if I am right?
    Thanks
    Saurabh

    That almost works. I had to adjust the syntax to the following...and then there are other issues doing this.
    select cust_no, name,'@{session.currentUser}' from customers
    My write-back SQL is this:
    UPDATE customers SET NAME='@{c1}',LAST_EDITED_BY='@{c2}' WHERE CUST_NO=@{c0}
    But I don't want to display the cust_no column to the user. So I hide it in the UI. But if I do that I get the below error during write-back. Apparently sometimes when you hide a column on a direct query (numeric maybe?) the value doesn't transfer over to the write-back. If that's the case, this won't work for me. Hmm...
    Error Codes: OPR4ONWY:U9IM8TAC:OI2DL65P
    State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 43093] An error occurred while processing the EXECUTE PHYSICAL statement. [nQSError: 17001] Oracle Error code: 936, message: ORA-00936: missing expression at OCI call OCIStmtExecute: UPDATE customers SET NAME='Wyatt Donnely',LAST_EDITED_BY='Administrator' WHERE CUST_NO= . [nQSError: 17011] SQL statement execution failed. (HY000)
    SQL Issued: EXECUTE PHYSICAL CONNECTION POOL dev1 UPDATE customers SET NAME='Wyatt Donnely',LAST_EDITED_BY='Administrator' WHERE CUST_NO=

  • Use Session Variable with row-wise initialization

    Hello,
    I use an initialization block in order to load some translations in my repository (version is 11.1.1.6.BP1) :
    SQL :
    SELECT CODE_KEY, STRING_VALUE FROM "TABLES" WHERE  LANGUAGE_KEY= 'VALUEOF(NQ_SESSION.USERLOCALE)'
    Values :
    CN_INCOMING, Incoming, en
    CN_OUTGOING, Outgoing, en
    CN_INCOMING, Réception, fr
    CN_OUTGOING, Emission, fr
    etc ...
    I checked the row-wise initialization.
    The query is correct and returns the right values (I check in the log file ..).
    So far, So good.
    But when I want to use session variables in a column expression (in repository) like  :
    CASE WHEN "column"="xx" THEN VALUEOF(NQ_SESSION."CN_INCOMING")  ELSE VALUEOF(NQ_SESSION."CN_OUTGOING") END
    I got the error: [nQSError: 23006] The session variable, NQ_SESSION.CN_OUTGOING, has no value definition.
    If I used the same formula directly in Answers it's working correctly.
    Do I have to necessarily do this in answers or is there a way to do this in the repository.
    Thanks in advance
    Regards
    Benjamin

    Yes I already tested this point, when I don't use a row wise initialization it's working, but I don't want to create one variable for each translations that I need to use in column formula if you know what I mean.
    I don't understand why we can't use this kind of variable in this context ..but if I have to create the column in my analysis, I will do that, but it's not really user friendly
    Anyway thanks for your time.

  • Page Specific Persistence using Session Variables

    Hi, I have read a lot about using session variables to persist the ReportDocument object across page loads.  This works fine if you have just one page open with one report.  The problem I am having is I have a web application that makes 30 or 40 different reports available to the user.  To simplify the code and make it easier to add new reports I have developed a single template aspx page that can be used to view any of the reports.
    My problem is that if the user opens 2 different reports in 2 separate tabs in the browser then the session variable persistence doesn't work because the session variable is available to both tabs.
    Is there a way to persist the ReportDocument object which is 'page' specific.
    Thanks

    Your best option is likely to have something that makes the session variable names unique.  I've done such things as putting the current datetime in the url as a querystring parameter and appending that to the variable name.  On each postback that querystring should persist.
    You might be able to use the reportclientdocument object and serialize the report and persist through view state, haven't tried this with inproc ras though.  A sample that uses the ras sdk can be found [here|http://wiki.sdn.sap.com/wiki/display/BOBJ/NETRASSDK+Samples]
